Trisul Network Analytics Blog

Tech tips and tricks from the world of network traffic and security monitoring

Do you have packet capture (PCAP) files collecting dust, consulted only when an alert fires? If so, you might be missing out on critical insights into your network.

Trisul converts your PCAP files into statistical and topper sketches for hundreds of datapoints, points out elephant and mice flows, and lets you start exploring the data from several angles with little effort.

This blog describes how to run Trisul over PCAP dumps. Part 2 will describe how you can run Snort over the same PCAP dump and integrate the data with Trisul. Free: everything described here is completely free if you can arrange your dumps in 3-day chunks.

Let's jump right into it.

PCAP dataset dump structure can be anything

Trisul is rather powerful in how it processes PCAP dumps.

It sorts all PCAPs in directories and subdirectories in time order. The sorting is done not by filename or file timestamp but by looking at the first packet in each file, so you can name your files whatever you want and put them in whatever subdirectory you want.

It natively handles gzip and bzip2 compressed files.

It ignores all files that don't look like PCAP files.
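The three behaviours above (order by first packet rather than by name, transparent gzip/bzip2 handling, skipping non-PCAP files) are worth being able to check yourself before pointing Trisul at a large dataset, for instance to confirm that a dump tree really spans the 3-day window you expect. The script below is an added example, not Trisul's own code: it walks a directory tree, sniffs each file's compression by magic bytes, reads the first record header of the classic libpcap format (pcapng is not handled here, an assumption of this example), and returns the files sorted by first-packet timestamp. The sample dataset it builds is constructed inline with deliberately misleading names and directories.

```python
import bz2
import gzip
import os
import struct
import tempfile
from typing import List, Optional, Tuple

# Standard libpcap global-header magic numbers: little/big endian,
# microsecond and nanosecond timestamp variants. Not Trisul-specific.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # LE, usec
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # BE, usec
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # LE, nsec
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # BE, nsec
}
GLOBAL_HEADER_LEN = 24   # libpcap file header
RECORD_HEADER_LEN = 16   # per-packet header: ts_sec, ts_frac, incl_len, orig_len


def open_any(path: str):
    """Open a plain, gzip or bzip2 file transparently by sniffing magic bytes."""
    with open(path, "rb") as fh:
        head = fh.read(3)
    if head[:2] == b"\x1f\x8b":
        return gzip.open(path, "rb")
    if head == b"BZh":
        return bz2.open(path, "rb")
    return open(path, "rb")


def first_packet_time(path: str) -> Optional[float]:
    """Timestamp (seconds since epoch) of the first packet, or None when the
    file is not a libpcap capture, is empty, or is corrupt."""
    try:
        with open_any(path) as fh:
            gh = fh.read(GLOBAL_HEADER_LEN)
            if len(gh) < GLOBAL_HEADER_LEN or gh[:4] not in PCAP_MAGICS:
                return None
            endian, frac_div = PCAP_MAGICS[gh[:4]]
            rh = fh.read(RECORD_HEADER_LEN)
            if len(rh) < RECORD_HEADER_LEN:
                return None
            ts_sec, ts_frac = struct.unpack(endian + "II", rh[:8])
            return ts_sec + ts_frac / frac_div
    except (OSError, EOFError, ValueError):
        # unreadable file or a compressed stream that does not decode
        return None


def sorted_pcaps(top: str) -> List[Tuple[float, str]]:
    """Walk a tree and return (first_packet_ts, path) in capture order,
    silently skipping anything that does not parse as a PCAP."""
    found = []
    for root, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(root, name)
            ts = first_packet_time(path)
            if ts is not None:
                found.append((ts, path))
    found.sort()
    return found


def write_pcap(path: str, ts_sec: int, compress: Optional[str] = None) -> None:
    """Write a minimal one-packet little-endian PCAP (constructed sample data)."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payload = b"\x00" * 14  # placeholder 14-byte Ethernet frame, all zeros
    rec_hdr = struct.pack("<IIII", ts_sec, 0, len(payload), len(payload))
    data = global_hdr + rec_hdr + payload
    opener = {"gz": gzip.open, "bz2": bz2.open}.get(compress, open)
    with opener(path, "wb") as fh:
        fh.write(data)


def build_sample_dataset(top: str) -> None:
    """Constructed tree where names and directories contradict capture order,
    one file is gzipped, one bzip2'd, and one is not a capture at all."""
    os.makedirs(os.path.join(top, "old"), exist_ok=True)
    os.makedirs(os.path.join(top, "new"), exist_ok=True)
    write_pcap(os.path.join(top, "new", "capture-001.pcap"), 1_700_000_000)  # really the newest
    write_pcap(os.path.join(top, "old", "zzz.pcap.gz"), 1_600_000_000, "gz")  # really the oldest
    write_pcap(os.path.join(top, "middle.cap.bz2"), 1_650_000_000, "bz2")
    with open(os.path.join(top, "README.txt"), "wb") as fh:
        fh.write(b"not a capture\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as top:
        build_sample_dataset(top)
        for ts, path in sorted_pcaps(top):
            print(f"{ts:.0f}  {os.path.relpath(path, top)}")
```

Run it and the gzipped file under old/ comes out first and new/capture-001.pcap last, while README.txt never appears; a tree that sorts the way you expect here is one you can hand to Trisul without worrying about how the files were named.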

Run Trisul over your PCAPs

First you create a new context for this data set

cd /usr/local/share/trisul
./mknewcontext mybigpcap1

Then run trisul and point it to the top-level directory. You can, of course, point it to a single file if you have just one PCAP file to process.